ATMs vulnerable to hackers

- banking source warns

Concerns over the possibility of hacking could be among the reasons for the limited number of stand-alone Automatic Teller Machines (ATM) installed by commercial banks even in the face of complaints by customers over the lengthy queues, a banking source has said.

And in a response sent to this newspaper, to a reader’s letter, Michelle Johnson, Marketing and Communica-tions Manager of Republic Bank Ltd said that the bank recently became aware of suspicious activity at one of its ATM locations.

This, she said, prompted an immediate move by the bank to safeguard customers’ affairs.

How safe is our money

“Among our actions have been, the recall of possibly compromised cards and contacting those cardholders as a matter of urgency to advise of the situation and offer a replacement card, free of cost,” Johnson said in her letter to this newspaper.

“Customer care and convenience remain our highest priority in this exercise as we continue our activities to protect all possibly affected customers.”

Meanwhile, the banking source said that the occurrence was likely to create “some measure of unease” within the local banking community as a whole and that the attack of the Republic Bank facility was probably likely to cause other commercial banks to review the security of their ATMs.

The source told Stabroek Business that though he was only a “middle level” commercial bank employee and was not seeking to articulate “an official commercial bank position” he was aware of some of the discussions within the commercial bank with which he is employed regarding “the issue of long queues and the public demand for more ATMs.

He said what the recent Republic Bank hacking incident could mean is that “commercial banks are now likely to be far more cautious about installing stand-alone ATM’s” – machines installed at locations other than at the banks themselves – since this allows more time and opportunity for hackers to do their work.

According to the banking official this is not the first occasion on which hacking has been attempted at local ATMs neither is Republic Bank the only local commercial bank at which attempts have been made to make illegal withdrawals from customer accounts. “These are not occurrences that commercial banks make public. What they tend to do is to notify the customers whose accounts may have been hacked and recall their cards as has been the case with the recent Republic Bank incident. But the main concern usually has to do with not saying too much because they tend to worry about the possibility that once such matters are put in the newspapers account holders might start to lose confidence in the ATMs.” Republic Bank has declined to name the location where the recent hacking incident occurred and other commercial banks with which this newspaper spoke declined to give any comment on ATM hacking.

Asked about the issue of refunding monies lost by customers on account of hacking the source said that in cases where there is proof of hacking the account holder should get a refund. “It is a question’s of the bank’s responsibility to secure customers deposits and where, for reasons that have nothing to do with the account holders such security is breached then it falls to the bank to take the responsibility,” the source said.

According to the source, skilled hackers have been able to secure cash from ATM’s by “hijacking” the computers that control the procedures for dispensing cash. “These are not your run-of-the-mill bandits. Hacking is the work of highly skilled people who often work alone. These are people who are aware that ATMs are by no means tamperproof,” the banking official said. He explained that among the common hacking methods are the installation of fake card readers that steal the pin numbers of account holders and concealing small surveillance cameras to secure pin codes.

He said that other hackers find ways of compromising the dispensing slots of ATMs and withdrawing monies after the account holders leave thinking that their transaction attempts have failed. “Hacking practices tend to be more common at stand alone ATM situated near convenience stores and inside service stations. It is a bit more risky to tamper with the ones installed at bank branches.”

And according to the source while commercial banks employ different types of software, ATM hackers have found ways of “probing and exploiting software vulnerabilities and security weaknesses” many of which tend to be common in many types of machines. The official said that ATM hacking has now become a global practice and manufacturers were now being placed under increasing pressure by banks to respond to the problem by investing in rendering their software and security systems more tamper-proof.

Asked about the implications of hacking for the security of local depositors’ monies the official said that while the practice required considerable skill and “knowledge of the technology and how it works” people should be aware that ATM machines are not tamper proof. He said that while there was no evidence that the practice was widespread in Guyana it was up to the banks to “zero in” on the practice and work with manufacturers to address the issue as far as they could. “The problem is that hacking is a specialized pursuit that is not easily detectable by members of the public or by the people in law-enforcement.”

On the issue of the frequency with which would-be hackers attempt to access ATM machines in Guyana the source said that “it is hard to say” though “there is really no reason to believe that there are not several people in Guyana who may have some knowledge of hacking.” He said hacking is “a learnt skill” and “it could be learnt here in Guyana in much the same way that it is learnt elsewhere. He said that he had done some reading on the subject and was aware that in other countries including the United States hackers go to “a great deal of trouble” including studying the computer systems of commercial banks to determine how the security features could be circumvented and acquiring and studying the ATM machines themselves.